PDM Support for PIX Firewall CLI Commands
This appendix describes how PDM handles PIX Firewall CLI (command-line interface) commands.
This appendix includes the following sections:
•Parse and Allow Changes
•Parse Without Allowing Changes
•Parse and Only Permit Access to the Monitoring Tab
•Only Display in Unparseable Command List
Note PIX Firewall commands that you enter at the command line but that do not appear in the configuration are not supported in PDM. These are the clock, configure, copy, debug, disable, enable, exit, flashfs, help, perfmon, quit, session, and setup commands. The clear uauth, kill, ping, reload, show, who, and write commands, which also do not appear in the configuration, are incorporated directly into the PDM interface.
Note PDM does not currently support VPN and IPSec commands. These are the ca, crypto, ip local pool, and vpdn commands. The isakmp identity command is supported for use with the SSL feature of PDM.
Parse and Allow Changes
Table A-1 lists the commands that PDM fully supports. PDM parses these commands in a PIX Firewall configuration and continues to operate with full functionality.
Exceptions are noted in the table and occur when PDM cannot parse certain combinations of command statements. For all exceptions, refer to the Parse and Only Permit Access to the Monitoring Tab section for information on how to correct each problem. Commands that PDM cannot parse stay in the configuration, their values cannot be changed with PDM, and they appear in the list of unparseable commands.
Table A-1 Commands That PDM Parses and Allows in Configuration
| Command | Description |
|---|---|
| aaa command, include option | Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. |
| aaa command, match acl_name option | Apply authentication, authorization, or accounting to an access list. Exception: PDM cannot parse this command if an access-group command statement shares the same acl_name. |
| aaa-server | Specify an AAA server. |
| access-list and access-group | Create an access list and bind it to an interface. Exceptions: PDM cannot parse these commands if you (1) combine the access-list command with the conduit and/or outbound command; (2) configure access-list command statements without an associated access-group command, unless the access-list command statement is used in conjunction with an aaa command statement; (3) configure multiple access-group command statements with the same acl_name for different interfaces; or (4) use an acl_name for multiple purposes, such as in an access-group command and in an aaa command, or in an aaa authentication match command statement and in an aaa authorization match command statement. |
| apply | Apply outbound command statements to an interface. |
| auth-prompt | Change the AAA challenge text. |
| conduit | Add, delete, or show conduits through the PIX Firewall for incoming connections. Exception: PDM cannot parse this command if you combine it with the access-list command. |
| dhcp | Implement the DHCP server feature. |
| domain-name | Specify the PIX Firewall domain. |
| enable password | Set the privileged mode password. |
| failover | Change or view access to the optional failover feature. |
| filter | Enable or disable outbound URL or HTML object filtering. |
| fixup protocol | Change, enable, disable, or list a PIX Firewall application protocol feature. |
| global | Create or delete entries from a pool of global addresses. |
| hostname | Change the host name in the PIX Firewall command line prompt. |
| http | Configure PDM access. |
| icmp | Enable or disable pinging to an interface. |
| interface | Identify network interface speed and duplex. |
| ip address | Identify addresses for network interfaces. |
| ip audit | Configure IDS signature use. |
| ip verify reverse-path | Implement unicast RPF IP spoofing protection. |
| logging | Enable or disable syslog and SNMP logging. |
| name | Associate a name with an IP address. |
| nameif | Specify name and security level for an interface. |
| nat | Associate a network with a pool of global IP addresses. |
| outbound | Create an access list to control outbound connections. Exceptions: PDM cannot parse this command if you use the outbound command with the except option, or if you combine the access-list command with the conduit and/or outbound command. |
| passwd | Set the password for Telnet access to the firewall console. |
| pdm | Specify PDM commands. |
| rip | Change RIP settings. |
| route | Enter a static or default route for the specified interface. |
| service resetinbound | Send a reset to a denied inbound TCP packet. |
| service resetoutside | Send a reset to a denied TCP packet on the outside interface. |
| snmp-server | Provide SNMP event information. |
| ssh | Specify a host for PIX Firewall console access via Secure Shell (SSH). |
| static | Map the local IP address to a global IP address. Exception: Inbound PAT using the static command is not parsed. |
| sysopt | Change the PIX Firewall system options. Exception: The route dnat and nodnsalias options cannot be parsed. |
| telnet | Specify a host for PIX Firewall console access via Telnet. |
| tftp-server | Specify the IP address of the TFTP configuration server. |
| timeout | Set the maximum idle time duration. |
| url-cache | Cache responses to URL filtering requests to the Websense server. |
| url-server | Designate a server running Websense for use with the filter url command. |
Parse Without Allowing Changes
Table A-2 lists commands that PDM supports but does not allow you to change. PDM parses these commands in the PIX Firewall configuration and handles them transparently.
Table A-2 Commands That PDM Supports That Cannot Be Changed
| Command | Description |
|---|---|
| arp | Change or view the ARP cache, and set the timeout value. |
| floodguard | Enable or disable Flood Defender to protect against flood attacks. |
| isakmp identity [address \| hostname] | Specify the identity used for obtaining an IPSec certificate, by either IP address or hostname. |
| mtu | Specify the MTU (maximum transmission unit) for an interface. |
| nat [(if_name)] 0 access-list acl_name | Associate network address translation with an access list. PDM does not support the nat 0 access-list command. When PDM encounters it, PDM prompts you to confirm whether you are using the nat 0 access-list command for crypto (VPN) commands only. If you respond with y, PDM ignores the command and gives you full access to PDM. If you respond with n, meaning that you use this command both for VPN and for other PIX Firewall configuration features, PDM cannot interpret this usage and enters a limited state in which you can only access the Monitoring tab. |
| pager | Enable or disable screen paging. |
| sysopt nodnsalias inbound | Disable inbound embedded DNS A record fixups according to aliases that apply to the A record address. |
| sysopt nodnsalias outbound | Disable outbound DNS A record replies. |
| sysopt route dnat | Specify that when an incoming packet does a route lookup, the incoming interface is used to determine which interface the packet should go to, and which is the next hop. |
| terminal | Change the console terminal settings. |
| virtual | Access the PIX Firewall virtual server. |
Parse and Only Permit Access to the Monitoring Tab
Table A-3 lists commands that PDM does not support in a configuration. If the commands are present in your configuration, you can only use the Monitoring tab.
Table A-3 Commands That PDM Can Only Use in Limited Access Mode
| Command | Description |
|---|---|
| alias | Administer overlapping addresses with dual NAT. Also permits inside interface access to a DNS server on a perimeter interface. |
| establish | Permit return connections on ports other than those used for the originating connection, based on an established connection. |
| outbound id except | Create an access list to control outbound connections. |
| static [used for inbound PAT] | Funnel inbound connections through a single IP address. |
| nat [(if_name)] 0 access-list acl_name | Associate an access list with network address translation. If used only for VPN purposes, PDM parses and ignores this command. If used for non-VPN purposes, or for mixed VPN and non-VPN use, only the Monitoring tab can be accessed. When this command is encountered in your configuration, you are prompted to specify its purpose. |
In addition, the following command combinations also limit access to only the Monitoring tab:
•aaa command with the match option appearing in the configuration with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM:
access-list 101 permit tcp any any
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
You can fix this by changing aaa commands exclusively to either the match acl style or to the include/exclude style.
•Combining the access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands appearing anywhere in the configuration (not necessarily together) would not be parsed by PDM:
access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
access-group 101 in interface outside
conduit permit icmp any any
•Using an ACL (access control list) for multiple interfaces. For example, the following access-list command statement bound to two interfaces would not be parsed by PDM:
access-list eng permit ip any server1 255.255.255.255
access-group eng in interface perim
access-group eng in interface outside
•Using an ACL name for multiple purposes such as in an access-group command statement and in an aaa command statement. For example, the following commands would not be parsed by PDM:
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement. For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
•Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn
In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement identical to the first and applying that one in the aaa authorization command. For example:
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out3 outside AuthIn
•Applying an outbound command statement group to multiple interfaces. For example, the following command statements would not be parsed by PDM:
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
outbound 13 permit 0.0.0.0 0.0.0.0 389 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 30303 tcp
outbound 13 permit 0.0.0.0 0.0.0.0 53 udp
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
Only Display in Unparseable Command List
The following commands are ignored when encountered by PDM, and are displayed in the list of unparseable commands:
Note PDM does not change or remove these commands from your configuration.
•All IPSec VPN crypto commands, with the exception of the isakmp identity command. This includes the ip local pool, sysopt connection permit-pptp, and vpdn commands.
•Access lists not applied to any interface and not applied to an aaa command statement: a group of access-list command statements without an accompanying access-group command statement or aaa match acl command statement. For example:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
•A list of outbound command statements without an associated apply command statement.
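As an added example that is not part of this appendix or of PDM itself, the following Python checker applies the command combinations listed under "Parse and Only Permit Access to the Monitoring Tab" and the orphaned access list case from this section to a constructed sample configuration; the function name, rule labels and sample configuration are my own.

```python
from collections import defaultdict

# Constructed sample configuration combining the patterns the appendix lists; not from a real device.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any
access-group 101 in interface outside
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
conduit permit icmp any any
access-list eng permit ip any server1 255.255.255.255
access-group eng in interface perim
access-group eng in interface outside
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn
access-list orphan deny ip any any
outbound 13 deny 0.0.0.0 0.0.0.0 0 0
apply (inside) 13 outgoing_src
apply (perim) 13 outgoing_src
"""

def find_pdm_conflicts(config):
    """Return (rule, detail) pairs for combinations that force PDM into Monitoring-only
    mode, plus ACLs that would only appear in the unparseable list. Added checker, not PDM's parser."""
    acls, acl_ifaces, aaa_uses = set(), defaultdict(set), defaultdict(set)
    apply_ifaces, mixers, aaa_include = defaultdict(set), set(), False
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "access-group":                 # access-group <acl> in interface <if>
            acl_ifaces[w[1]].add(w[-1])
        elif w[0] == "aaa" and len(w) > 3 and w[2] == "match":   # aaa <type> match <acl> ...
            aaa_uses[w[3]].add(w[1])
        elif w[0] == "aaa" and len(w) > 2 and w[2] in ("include", "exclude"):
            aaa_include = True
        elif w[0] in ("conduit", "outbound"):        # cannot coexist with access-list in PDM
            mixers.add(w[0])
        elif w[0] == "apply" and len(w) > 2:         # apply (<if>) <outbound_id> outgoing_src
            apply_ifaces[w[2]].add(w[1].strip("()"))
    f = []
    if aaa_include and aaa_uses:
        f.append(("aaa include/exclude mixed with aaa match", sorted(aaa_uses)))
    if mixers and acls:
        f.append(("access-list combined with conduit/outbound", sorted(mixers)))
    f += [("ACL bound to several interfaces", a) for a, i in acl_ifaces.items() if len(i) > 1]
    f += [("ACL used by both access-group and aaa", a) for a in acl_ifaces if a in aaa_uses]
    f += [("ACL used for several aaa purposes", a) for a, t in aaa_uses.items() if len(t) > 1]
    f += [("outbound group applied to several interfaces", g) for g, i in apply_ifaces.items() if len(i) > 1]
    f += [("unparseable: ACL not applied anywhere", a) for a in sorted(acls - set(acl_ifaces) - set(aaa_uses))]
    return f
```

Running the checker on the corrected acl_out2/acl_out3 pair shown earlier in this appendix returns no findings, which is the quickest way to confirm a fix before opening PDM.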